What is SecOps, and why should you care?


If DevOps is still in its infancy, then SecOps is barely out of the womb. It's going to become more important over time, particularly if organizations find that their agile, fast continuous delivery efforts start to open up security holes.

In an interview with Todd Vernon, founder and CEO of VictorOps, I started with the basics of SecOps, which he said is still in such an early phase of development that there is no standard definition or any vendors really tackling the problem (yet). What is SecOps? It's essentially taking DevOps methodologies and applying them to security. That may sound a bit wishy-washy, as it's an idea that's still developing.

The concept of SecOps is coming up as a hot topic in DevOps. It started 15 years ago with the Agile methodology, which helped to speed up application development and involved all stakeholders to ensure new (and useful) features were being pushed out to test and production. Later came continuous delivery, which is one of the hottest topics right now. Whereas Agile enabled new features every two weeks, continuous delivery makes it possible to launch new features and changes multiple times a week or multiple times a day.

However, that's basically forcing function through the system, Vernon said. The problem with constantly changing software and infrastructure is that DevOps teams are theoretically creating vulnerabilities in the system.

"The natural consequence of all of this change in 15 years is you can really realize the dream of what everybody wanted ... but the outcome of that and the down side of it is a couple of things. One, testing is a real problem ... The other one is this idea that the security of your system is probably somewhat in question in a world like this," Vernon said.

The natural inclination may be to lock the system down, but doing so would mean losing all the benefits gained over the last 15 years from Agile and DevOps. But the question remains: How do you gain security over these new systems?

There's no easy answer to the question, unfortunately.

"It's absolutely a thing. Has anyone really done much in the space? I don't think so," Vernon said. "All I know is I'm starting to hear from venture capitalists that they're starting to look at startups in this space."

Vernon expects monitoring companies to be among the first to start tackling the problem, but he also hinted there are several startups pitching ideas to investors right now. Without the tools and technology to help at the moment, though, Vernon said there are a few things DevOps teams can keep in mind to help boost the security in a constantly changing application.

The first is ensuring that strong security is in place and that security audits are being done in a frequent and meaningful way. A static system is more secure, but that's not as helpful to a DevOps-oriented way of doing things.

"If your business is creating a cloud service, then I think your vulnerability is higher, and I think that's the thing everyone will wrestle with over the next 10 years," Vernon said. Software-as-a-Service providers need to be on top of security even as they continue to iterate faster simply because their reputations are at stake.

"I think your best bet is to use classic methodologies of penetration tests, but do them at a higher frequency than you have historically done them in the past," Vernon said.

Continuous security testing will replace the idea of doing penetration tests every three to six months.

"There's definitely room for improvement is kind of the takeaway. It's an area ripe for innovation. I don't know if it's super scary, but I think there's an increasing vulnerability there as companies become much quicker at iterating on their systems."
